Platinum Solutions Corporate Website


Blocking brute force login attempts

Most system and network administrators are very familiar with brute force attacks against their devices.  Every day, thousands of script kiddies and worms scan the Internet attempting to guess passwords for SSH, FTP, telnet, and other services.  A typical signature of these attacks is hundreds of failed attempts overall but only a few attempts per account.  In this case, each account is simply being tested for the simplest of passwords, such as a blank password, the username as the password, or 'password' as the password.  Although typically futile on a properly administered network, these attacks are annoyances and create noise which may conceal real suspicious activity or, even worse, successful intrusions.

The concept for blocking these attacks is quite simple: watch for multiple failed login attempts from the same IP and block that IP.  To be effective, this method of blocking must be automated.  BlockHosts (http://www.aczoom.com/cms/blockhosts) offers this functionality with a small footprint.  It is written in Python and simple to install.  BlockHosts is available in zip, gzipped, and RPM formats and can be installed in no more than 20 minutes, given that Python is already installed.  It currently watches SSH and FTP logs for failed login attempts.  BlockHosts uses /etc/hosts.allow to implement the blocking mechanism.  The /etc/hosts.allow file is typically used for basic access control by restricting the IPs or networks that can access specific services.  BlockHosts uses its spawn functionality to execute the BlockHosts Python script every time someone connects to SSH or FTP.  This script can determine whether the connecting IP has failed to authenticate and write a deny entry into /etc/hosts.allow should the number of failures exceed a configurable threshold.
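To make the mechanism concrete, here is an added example (not BlockHosts' own code) of the core loop described above: parse failed-login lines for SSH and FTP, count failures per source IP, and regenerate a managed deny block inside /etc/hosts.allow text once a threshold is crossed.  The log lines, the threshold, the marker comments and the function names are all constructed for this illustration; the `ALL: a.b.c.d : deny` entry form is the TCP wrappers `hosts_options` deny syntax.

```python
import re
from collections import Counter

# Constructed sample log lines in the style of sshd and vsftpd failure messages.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4021 ssh2
Mar  3 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 4022 ssh2
Mar  3 10:01:09 host sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 4023 ssh2
Mar  3 10:01:12 host sshd[1237]: Failed password for invalid user oracle from 203.0.113.5 port 4024 ssh2
Mar  3 10:02:00 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Mar  3 10:02:30 host sshd[1241]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Mar  3 10:03:00 host vsftpd[2000]: FAIL LOGIN: Client "203.0.113.9"
Mar  3 10:03:01 host vsftpd[2001]: FAIL LOGIN: Client "203.0.113.9"
Mar  3 10:03:02 host vsftpd[2002]: FAIL LOGIN: Client "203.0.113.9"
"""

# Patterns that identify a failed authentication and capture the source IPv4 address.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port"),
    re.compile(r'vsftpd\[\d+\]: FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"'),
]

# Marker comments (assumed names) that delimit the block this script owns inside hosts.allow,
# so administrator-written allow/deny rules outside the block are never touched.
BEGIN_MARK = "#---- managed brute-force deny block (constructed example) ----"
END_MARK = "#---- end managed block ----"


def count_failures(log_text):
    """Return a Counter of failed-login events keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in FAILURE_PATTERNS:
            match = pattern.search(line)
            if match:
                counts[match.group(1)] += 1
                break  # one failure event per log line
    return counts


def offenders(counts, threshold):
    """IPs whose failure count reached the configurable threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def render_deny_block(ips, services="ALL"):
    """Text of the managed block: one hosts_options-style deny line per offending IP."""
    lines = [BEGIN_MARK]
    for ip in ips:
        lines.append(f"{services}: {ip} : deny")
    lines.append(END_MARK)
    return "\n".join(lines)


def update_hosts_allow(existing, ips):
    """Replace (or append) the managed block in hosts.allow text; idempotent on repeated runs."""
    lines = existing.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        start, end = lines.index(BEGIN_MARK), lines.index(END_MARK)
        lines = lines[:start] + lines[end + 1:]
    return "\n".join(lines + render_deny_block(ips).splitlines()) + "\n"


if __name__ == "__main__":
    # Constructed pre-existing hosts.allow content written by an administrator.
    current = "sshd: 192.0.2.0/24 : allow\n"
    blocked = offenders(count_failures(SAMPLE_LOG), threshold=3)
    print(update_hosts_allow(current, blocked))
```

With a threshold of 3, the single failed attempt from 198.51.100.7 (a real user mistyping a password) is left alone, while the two addresses hammering SSH and FTP get deny lines.  The marker-delimited block is what lets the script rewrite its own entries on every spawn without clobbering the administrator's hand-written rules.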

Overall, the results are quite impressive.  I personally saw my Logwatch emails decrease from 20-30 pages of failed login attempts down to no more than 20 lines of failed attempts.  Prior to BlockHosts, reading the logs and monitoring emails was becoming so cumbersome that I often skipped that daily ritual.  With BlockHosts, reading log summaries is once again simple and effective.  BlockHosts is not a major upgrade to the security posture of a network.  However, it is a useful tool to eliminate the noise created by script kiddies and worms throughout the Internet.  In addition, it would successfully block an actual directed brute force attempt.  If your attacker is determined enough to switch IPs, it will still tremendously slow down the process, making brute forcing either extremely slow or dependent on massive resources such as a botnet.
Comments

Ville (not verified) Wed, 1969-12-31 19:00

Thanks for that tip!  I've been seeing a rapid increase in sshd brute force attacks over the last week, up from the normal ~600kb log per day to 6 or even 9 megabyte log files!  Installation of blockhosts was a snap, and it appears to be working (some offending IPs have already ended up on the blacklist, and no more pages after pages of futile login attempts in the security logs).
